
Real-Time Attack Monitoring on Telecom Network Using Open-Source Darknet and Honeypot Setup

L. Sivakamy1, S. Pradheepkumar1, A. Sivabalan1 and Anand R. Prasad2

1 NEC Technologies India Private Ltd, India
2 NEC Corporation, Japan
E-mail: [email protected]; [email protected]; [email protected]; [email protected]

Received 02 August 2017; Accepted 18 January 2018

Abstract

The traditional use of darknets is to passively monitor malicious traffic in a network. In this paper, we describe an experimental setup that leverages this property of the darknet in a network monitoring setup coupled with several honeypot servers. The honeypots are configured as a decoy to lure cyber attacks on the network. The cyber-security test-bed thus designed enables us to monitor an end-to-end mobile communication network test-bed [1] and detect attacks on the network in real-time. After successful trial runs, the results and alert incidents show that the cyber-security setup is efficient in detecting malicious activity in the network.

Keywords: Darknet, Alerts, Cybersecurity, Honeypots, Cyber attacks, Network monitoring, Malware detection.

1 Introduction

A darknet is a portion of unallocated Internet Protocol (IP) address space in which no responsive servers typically reside [2]. It is most unlikely that such unused IP addresses receive packets in usual Internet usage. So, if one does appear, it is either because of misconfiguration or due to malicious activities such as malware scanning for vulnerable devices. Such scans can be spotted by security administrators without the need for complicated analysis gear or any false positives. Darknet monitoring requires the setup of servers called darknet sensors, which act as sinkholes for all packets addressed to the darknet IP addresses [3].

Journal of ICT, Vol. 5 2, 187–202. doi: 10.13052/jicts2245-800X.524. This is an Open Access publication. © 2018 the Author(s). All rights reserved.

The darknet sensors have predominantly been used only for passive network monitoring and alert generation [3–5]. In this paper, we extend the capability of the sensors to conduct deep packet inspection on the captured inbound packets. The analysis pertains to the origin of attacks and the approach of attacks (threat model). In order to detect more types of attacks, honeypots [6] are configured in the same network as the darknet IP addresses. These honeypots act as deception traps that entice attackers to spend time on the services employed. The analysis of the myriad of attacks is vital in discovering vulnerabilities in the network design, strengthening the actual network, and inoculating and immunizing the network against possible attacks in future.

To identify possible attacks on the network and generate alerts, rule-based and signature-based detection techniques were used. Signature-based detection works by comparing the logged packet to a list of previously known attack signatures, mostly using string comparison operations. However, this technique is largely ineffective in detecting previously unknown threats, variants of known threats and, more importantly, the latest and most recently reported threats [7]. The proposed test-bed overcomes this shortcoming by extending the functionality of the darknet sensor server to dynamically detect even the most recent malware signatures from the latest online malware/threat databases. This paper explains the design, development, and implementation of a test-bed that consists of a sensor server that monitors all the traffic destined to honeypot servers and identifies real-time threats to the monitored network(s). As a practical use-case in this paper, the test-bed is extended to monitor a mobile communication network [1] to identify real-time threats and potential attacks.

The organization of the paper is as follows. In Section 2, we give an overview of the previous work which has shown the feasibility of using darknets for monitoring networks. In Section 3, we discuss the test-bed architecture. We also explain the overall implementation of the test-bed in Section 4. The results are discussed in Section 5. Conclusion and future work are presented in Section 6.


2 Related Work

This section presents the related work carried out around the world with respect to darknets and monitoring live networks.

Cooke, Bailey, Watson and Jahanian proposed a distributed global Internet monitoring system whose goal was to track, measure and characterize threats. They introduced the concept of the Internet Motion Sensor (IMS), which employs a distributed infrastructure that makes use of sensors that actively categorize IP addresses. The active component in the blackhole sensors only responds to Transmission Control Protocol (TCP) connection requests. The paper also discusses a technical study of various Internet threat monitoring architectures and the advantages of employing sensor-based alert systems [8].

Yegneswaran, Barford and Plonka discussed the prospects of monitoring both used and unused addresses in order to improve the effectiveness and perspective of Intrusion Detection Systems (IDSs). They propose an architecture to create sinkholes (iSink) for packets addressed to the target addresses. Unused addresses tend to respond easily to packets, and the information about incoming packets is logged in the sinkhole. This paves the way for passive packet capture and analysis [3].

Moore et al. discussed the prevalence of Denial of Service (DoS) attacks to quantitatively assess the nature of such threats in the long run. They analysed several threats including IP spoofing and backscatter worms using an experimental platform of a few /8 addresses. They captured around 12,805 attacks over the course of one week. They presented a new technique called “backscatter analysis” to estimate and quantify DoS attacks directed at specific Internet services [4].

Yegneswaran et al. discussed the concept of “background radiation” that reflects and reveals incessant Internet activity, either malicious or benign. They deployed sinkholes on the intra-campus routers that filter all the traffic for active trace collection. They analyse the activity across their campus and visualize the traffic using line graphs and bar charts [3].

Moore et al. presented a technical report titled “Network Telescope” that monitors over 160,000 addresses for backscatter and worms. It was a project funded by the Cooperative Association for Internet Data Analysis (CAIDA) in the U.S. [5].

Oberheide, Karir and Mao characterized the behaviour of dark Domain Name Service (DNS), the DNS queries that are associated with darknet addresses. They acquired two class B subnets and delegated DNS authority for these to the collector. Initially, they passively recorded all incoming traffic in the collector. Later, they extended the framework by replying with an NXDOMAIN (non-existence) error code. They analysed the unusual distribution in the number of queries, target IP addresses and the query sources [9].

Bailey, Cooke, Jahanian, Myrick and Sinha published a paper to describe and analyse the issues associated with deploying large-scale darknets. They evaluated the configuration and placement of darknets along with resource provisioning. They demonstrated that using a darknet as a monitoring tool is a productive and significant method to gain visibility into network threats and the state of local networks as well as the global Internet [10].

Suzuki and Inoue proposed a practical alert-based system on darknet monitoring for live networks called Direct Alert Environment for Darknet And Livenet Unified Security (DAEDALUS), which monitors malicious packets transmitted internally based on distributed darknets implemented in multiple organizations. The architecture consisted of a centralised analysis center that was used to alert the respective organizations in case of any security violations [2].

Each of these focuses on capturing and logging general malicious activity in the network. Our work focuses on deploying a test-bed to generate alerts based on the most recent malware database and analyse vulnerabilities in the network. As a practical use-case, the paper demonstrates how to extend the darknet set-up to monitor the mobile communication network.

3 Architecture

This section describes the architecture of the cyber-security test-bed that is used to identify and log real-time attacks on the network. The test-bed is also used to monitor a mobile communication network and identify real-time attacks on it. As shown in Figure 1, the test-bed consists of two components: the darknet sensor server and the honeypot server. The sensor server analyses the inbound traffic and relays it to the corresponding honeypot server. The information about the packets and the alerts generated by the setup is accessible to the system administrator for analysis.

The router is configured to re-route all the traffic destined to the darknet IP addresses (referred to as the darknet hereafter) to the sensor server, which is designed to capture and log the packet information. Preliminary analysis is done here and reports are generated periodically. The server then forwards the traffic to the respective honeypot server. Figure 2 depicts the architecture of the honeypot server configured with services which lure attackers to try and exploit the vulnerabilities in them.


Figure 1 Cyber-security test-bed setup.

Figure 2 Honeypot server architecture.

Such activities and threats to the system are detected in real-time and reported to the system administrator. The events generated by the honeypot services deployed in the server are logged in the attack database. These are used to generate real-time reports and plot the location of the attacker on the world map. Monitoring of a live mobile communication network is then added as a service in the test-bed to identify and report real-time threats to it.


The greatest advantage of using this setup is that no major change is required in the existing network configuration of the organization. The test-bed can also be scaled on demand.

4 Implementation of the Test-Bed

This section gives a detailed account of the implementation of the cyber-security test-bed. The implementation of the test-bed was carried out in three phases. The first was the design of the sensor server and supporting components. The second was designing and developing the server to generate real-time alerts for potential threats. The last phase was to introduce the cyber-security test-bed on top of the end-to-end mobile communication network [1] to log and monitor threats to it.

4.1 Implementation of the Sensor Server

The setup is designed in such a way that the packets addressed to the darknet are re-routed to the darknet sensor for analysis. Ten unused IP addresses in a /24 network were monitored by this darknet sensor. For this, static routes are pre-set in the router’s settings. The sensor is configured with packet analysis tools for deep packet inspection. Once the packets reach the sensor server, they are analysed based on source and destination addresses, ports and protocols.

Snort [11] IDS is implemented in the sensor to give real-time alerts of all malicious packets addressed to the darknet. The packet details are logged into the MySQL [12] database. The IDS was enhanced to analyse packets using a specially designed module that uses the most recent online malware databases and repositories of blacklisted IPs to generate alerts. The sensor then forwards the packets destined to the honeypot to the development server which hosts several services. For this, the darknet sensor server is configured with two Network Interface Cards (NICs): one to sniff incoming traffic and the other to forward traffic to the honeypots. The honeypot server is designed to aggregate the details of all such attacks, create real-time reports on the web front end and visualize the location of the attacker on the world map.

4.2 Implementation of the Honeypot Server

As discussed in Section 3, the honeypot server is designed as a trap to entice attackers to try and attack the system. Two honeypot servers are configured with fake web services and protocol emulations in separate Virtual Machines (VMs) in the same network as that of the darknet. Global IP addresses are assigned to the servers to make them accessible from external networks. This is done to identify the different types of vulnerabilities in the network.

The honeypot server consists of an Event Feeder that feeds the events generated by the honeypot services deployed in it. The Data-Sharing module aggregates the events. This module can be scaled to consolidate events from services deployed across multiple honeypot servers. The events are classified based on pre-defined rules by the Data Analytics module and then stored in the database. The origins of the attacks are plotted in real-time on the world map by the GeoMapper. A web application frontend is designed to facilitate administrative access to the dashboard for real-time management of the deployed services. The web frontend can also be used by administrators to deploy new honeypot services and edit or update the rules based on which the attacks are classified. The frontend is designed using Ruby on Rails to create graphs and reports based on protocols, destination, source, ports, signature and priority. The priorities are configured based on exploit type, endangered resources, and the severity and chronology of the attack. The classification of threats based on priority is a separate work in itself and is out of the scope of this paper. In case of high-severity events, the detailed incident report is sent to the administrator.
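The sensor and classification pipeline of Sections 4.1 and 4.2 can be sketched in a few dozen lines. The following is an added example, not the paper's own code: packets re-routed by the router are kept only if addressed to the monitored darknet, tallied by protocol and destination port (the raw material for a protocol distribution such as Table 1), checked against a blacklist that stands in for the online malware/blacklisted-IP repositories the paper's module consults, and turned into prioritised alerts by simple pre-defined rules. The darknet range, the packet records, the blacklist entries and the priority rules are all assumptions constructed for this example.

```python
"""Added example, not the paper's own code: a small darknet-sensor pipeline in
the spirit of Sections 4.1 and 4.2. All addresses, packets, blacklist entries
and priority rules below are constructed sample values."""
from collections import Counter
from dataclasses import dataclass

# Assumption: ten unused addresses in a /24 are monitored, as in Section 4.1.
# 192.0.2.0/24 is documentation space; hosts .240-.249 are the sample darknet.
DARKNET = {f"192.0.2.{h}" for h in range(240, 250)}

# Constructed stand-in for the blacklisted-IP repository consulted by the
# sensor module; a real deployment would refresh this from a live feed.
BLACKLIST = {
    "198.51.100.7": "listed for SSH brute-force activity",
    "203.0.113.9": "listed as a malware host",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "TCP", "UDP" or "ICMP"
    dport: int   # 0 for ICMP, which has no port


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    priority: str  # "high", "medium" or "low"
    reason: str


def classify(pkt):
    """Rule-based priority assignment, in the style of the Data Analytics
    module: a blacklisted source is high priority, a connection attempt to a
    common service port on an unused address is medium, anything else is low."""
    if pkt.src in BLACKLIST:
        return Alert(pkt.src, pkt.dst, "high", BLACKLIST[pkt.src])
    if pkt.proto == "TCP" and pkt.dport in (21, 22, 80, 443):
        return Alert(pkt.src, pkt.dst, "medium", f"service probe on tcp/{pkt.dport}")
    return Alert(pkt.src, pkt.dst, "low", "packet to unused address")


def run_sensor(packets):
    """Process re-routed packets; return (protocol counts, port counts, alerts).
    Traffic not addressed to the darknet is ignored here, since the router
    only re-routes darknet-bound traffic to the sensor."""
    proto_dist, port_dist, alerts = Counter(), Counter(), []
    for pkt in packets:
        if pkt.dst not in DARKNET:
            continue
        proto_dist[pkt.proto] += 1
        if pkt.proto != "ICMP":
            port_dist[pkt.dport] += 1
        alerts.append(classify(pkt))
    return proto_dist, port_dist, alerts


def priority_summary(alerts):
    """Count alerts per priority level, as a dashboard would report them."""
    return Counter(a.priority for a in alerts)


# Constructed sample capture: one blacklisted host hammering tcp/22, one
# blacklisted host on tcp/443, a UDP probe, an HTTP probe, an ICMP echo and a
# packet to an address outside the darknet (which the sensor ignores).
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.241", "TCP", 22),
    Packet("198.51.100.7", "192.0.2.241", "TCP", 22),
    Packet("198.51.100.7", "192.0.2.242", "TCP", 22),
    Packet("203.0.113.9", "192.0.2.245", "TCP", 443),
    Packet("198.51.100.50", "192.0.2.243", "UDP", 137),
    Packet("198.51.100.50", "192.0.2.243", "TCP", 80),
    Packet("192.0.2.10", "192.0.2.242", "ICMP", 0),
    Packet("198.51.100.50", "192.0.2.20", "TCP", 80),
]

if __name__ == "__main__":
    protos, ports, found = run_sensor(SAMPLE_PACKETS)
    print("protocol distribution:", dict(protos))
    print("port distribution:", dict(ports))
    for a in found:
        print(f"[{a.priority}] {a.src} -> {a.dst}: {a.reason}")
```

The point of the darknet property is visible in `run_sensor`: every packet that reaches a monitored address produces an alert, because nothing legitimate should be addressed there; the blacklist and port rules only decide how loudly to raise it.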

4.3 Implementation of Mobile Communication Network Monitoring

The traffic destined to the mobile communication network is captured and analysed by the IDS configured in the test-bed. The IDS uses rule-based detection to identify and generate alerts. This way, all traffic reaching the end-to-end mobile communication network [1] is screened by the test-bed to generate real-time alerts.

5 Results

This section explains in detail the results obtained from the deployment of the test-bed. Table 1 gives the distribution of the protocols of packets captured by the set-up.

Figure 3 illustrates the distribution of TCP, UDP, GTP and SCTP packets over time as logged by the test-bed. The figure describes the inflow of packets to the LTE network. The details of the packets were logged by the sensor server and alerts were generated based on pre-defined rules.


Table 1 Protocol Distribution

Protocol   Number of Packets
TCP        759095
UDP        26163
ICMP       5807

Figure 3 Distribution of packets based on protocol.

Figure 4 Distribution of packets based on ports.

Figure 4 shows the distribution of packets based on ports. The ports were subject to heavy port scanning in periodic short bursts. Most of the activity logged was mapped to IPs in China, the USA, Brazil and the UK.


Figure 5 Sample distribution of alerts (in packets per second).

Figure 5 shows the distribution of packets logged by the sensor per second over a period of three hours. The sensor server was pre-configured with rules to identify potentially malicious packets. The alerts generated based on the rules were classified as high priority, medium priority and low priority based on the severity of the threat.

The regions encircled in the graph in Figure 5 showed an abnormal upsurge in alert rates. Upon investigation, it was identified that alerts in regions A and C were of medium priority while region B had a high priority alert reported.

All anomalies over a period of one week were aggregated, of which a few are listed in Sections 5.1 and 5.2.

5.1 Incidents Related to Port Scanning and SSH Bruteforce Attacks

• Incident 1: Our test-bed reported a total of 12532 alerts from a specific IP address in short bursts, spanning a total of three hours. Upon further investigation, it was detected to be an SSH brute-force attack against port 22.

• Incident 2: Our test-bed reported a total of 3893 packets from a specific IP address within a span of half an hour. Upon investigation, it was identified as an SSH brute-force attack against port 22.

• Incident 3: Our test-bed reported a total of 3291 packets sent to the network by a group of IP addresses listed with the same subnet. Upon further investigation, it was detected to be an SSH brute-force attack against port 22. The attack continued over the span of two days with different IP addresses carrying out the attack.


• Incident 4: We detected a total of 616 packets sent to the network by a specific IP address within a span of three minutes. It was confirmed to be an SSH brute-force attack and port scan against port 22.

• Incident 5: Our test-bed reported an SSH brute-force attack, port scan and FTP brute-force attack by a specific IP address in a span of less than three minutes against ports 22 and 443.

• Incident 6: Our test-bed reported an SSH brute-force attack and port scan by a specific IP address against ports 21, 22, 80 and 443.
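The incidents in Section 5.1 share a shape: many connections to port 22 from one source inside a short burst, or one source touching several ports in quick succession. The detector below is an added example, not the paper's own code, showing how a sensor can flag both patterns with a per-source sliding window over its own log. The one-record-per-line log format, the thresholds, the window length and the addresses are assumptions made for this example; the paper's sensor logs to MySQL and raises alerts through Snort rules.

```python
"""Added example, not the paper's own code: sliding-window detection of the
Section 5.1 incident types (SSH brute force against port 22, and port scans)
over constructed sensor log lines. Log format, thresholds and addresses are
assumptions for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed one-record-per-line log format written by a sensor:
#   <ISO timestamp> <src> -> <dst> <proto> dport=<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<proto>TCP|UDP) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for lines that do not
    match (a malformed line is skipped rather than crashing the detector)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "proto": m["proto"], "dport": int(m["dport"])}


def detect(lines, window=timedelta(minutes=1), ssh_threshold=5, scan_threshold=4):
    """Per-source sliding window. A source with >= ssh_threshold TCP
    connections to port 22 inside the window is reported as ssh_bruteforce;
    a source touching >= scan_threshold distinct ports inside the window is
    reported as port_scan. Each (source, kind) pair is reported once."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, proto, dport)
    reported = set()
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["proto"], rec["dport"]))
        while q and rec["ts"] - q[0][0] > window:   # drop records older than the window
            q.popleft()
        ssh_hits = sum(1 for _, proto, port in q if proto == "TCP" and port == 22)
        ports = {port for _, _, port in q}
        for kind, fired, count in (("ssh_bruteforce", ssh_hits >= ssh_threshold, ssh_hits),
                                   ("port_scan", len(ports) >= scan_threshold, len(ports))):
            if fired and (rec["src"], kind) not in reported:
                reported.add((rec["src"], kind))
                findings.append({"src": rec["src"], "kind": kind,
                                 "count": count, "at": rec["ts"].isoformat()})
    return findings


# Constructed sample log: a burst of six SSH attempts from one host, a four-port
# sweep from a second host, a single HTTP hit from a third, and one junk line.
SAMPLE_LOG = [
    "2017-08-10T10:00:00 198.51.100.7 -> 192.0.2.241 TCP dport=22",
    "2017-08-10T10:00:05 198.51.100.7 -> 192.0.2.241 TCP dport=22",
    "2017-08-10T10:00:10 198.51.100.7 -> 192.0.2.241 TCP dport=22",
    "2017-08-10T10:00:15 198.51.100.7 -> 192.0.2.242 TCP dport=22",
    "2017-08-10T10:00:20 198.51.100.7 -> 192.0.2.242 TCP dport=22",
    "2017-08-10T10:00:25 198.51.100.7 -> 192.0.2.242 TCP dport=22",
    "2017-08-10T10:01:00 203.0.113.9 -> 192.0.2.245 TCP dport=21",
    "2017-08-10T10:01:01 203.0.113.9 -> 192.0.2.245 TCP dport=22",
    "2017-08-10T10:01:02 203.0.113.9 -> 192.0.2.245 TCP dport=80",
    "2017-08-10T10:01:03 203.0.113.9 -> 192.0.2.245 TCP dport=443",
    "2017-08-10T10:02:00 198.51.100.50 -> 192.0.2.243 TCP dport=80",
    "this line is not a sensor record",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['at']} {f['src']}: {f['kind']} ({f['count']} in window)")
```

Reporting each (source, kind) pair once is what keeps a three-hour burst like Incident 1 from producing one alert per packet; the raw count is still available in the finding for the incident report. Incident 3, where the attack rotated through addresses in one subnet, would need the window keyed on the subnet rather than the individual source.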

5.2 Incidents Related to Malware

• Incident 1: Our test-bed reported multiple alerts from an IP that was flagged as malicious due to several SSH login attempts. The IP address was previously flagged for threats such as Linux.DownLoader.115, Trojan.DownLoader19.51775 and Linux/Setag.B.Gen trojan.

• Incident 2: Our test-bed reported alerts from a specific IP address in bursts of two minutes with an average of 561 packets per burst against TCP ports 443 and 137. Investigation of the IP address reported that it was infected with malware and was involved in phishing. The malware and Trojans detected were Win32/DoS.FTP.KillCerb Trojan, Win32/Bagle.AB worm, Win32/Exploit.DCom.BW Trojan, Win32/Netsky.Q worm, HTML/Exploit.IESlice.AJ Trojan, Perl/DoS.Nertt Trojan, VBS.Psyme.126 and Perl/Shellbot.NAK.Gen Trojan.

• Incident 3: Our test-bed reported alerts from a specific IP address, which upon investigation was reported earlier as a malware source. The specific threat logged was Source Code/exploits/ms06-067-keyframe.html - HTML/Shellcode.Gen.

• Incident 4: Our test-bed reported an average of 142 alerts per second by a specific IP address. Investigation of the source IP address reported that it was flagged for propagating malware such as Troj/SEO-A, Trojan.DownLoader13.6370 and W32/Felix:Process related!Eldorado.

• Incident 5: Our test-bed reported an average of 732 packets per minute from a specific IP address. Investigation of the IP address reported that it was flagged for threats such as VBS/Worm and Perl/Exploit.WSFT Trojan.

• Incident 6: Our test-bed reported a high-priority attack from a specific IP address which had been blacklisted earlier for reportedly propagating malware such as BackDoor.OnionDuke.1 and HTML/Framer Virus.


6 Conclusion

The proposed cyber-security test-bed leverages darknet and honeypot deployments to actively monitor networks in real-time. The simplicity of the setup lies in the fact that it can be scaled for any type of network, telecom or otherwise. The test-bed monitors malicious packets destined to the deployed services and also monitors traffic within the network itself.

Based on pre-configured rules, the Data Analytics module detects malware infections and other anomalies. All alerts are logged automatically. In case of high-severity threats, the administrator is informed of the situation and an incident report is generated.

The setup also monitors a live end-to-end mobile communication network to detect potential threats and attacks in real-time. Such real-time detection reports become invaluable in securing and inoculating the network against similar attacks.

Another feature of this setup is that multiple deployed honeypot servers can be connected to the sensor server. It is also well-equipped to handle dynamic up-scaling. In such a case, events from all honeypot deployments can be aggregated and managed by the administrator simultaneously.

Operational results of the test-bed and the incidents show that the cyber-security setup was successful in detecting malicious activity such as trojans, backdoors and worms in the network. Going forward, we will develop an intelligent system that automatically detects new attacks and also analyses the strategies and technologies used by the attackers. More specifically, we will focus on intrusion detection in the realm of Telecom Network-Monitoring-as-a-Service.

References

[1] George, K. J., Sivabalan, A., Prabhu, T., and Prasad, A. R. (2015). “End-to-End Mobile Communication Security Testbed Using Open Source Applications in Virtual Environment”. J. ICT Standardization, 3(1), 67–90.

[2] Suzuki, M., and Inoue, D. (2017). “DAEDALUS: Practical Alert System Based on Large-scale Darknet Monitoring for Protecting Live Networks”. Journal of the National Institute of Information and Communications Technology, 58.

[3] Yegneswaran, V., Barford, P., and Plonka, D. (2004). “On the design and use of Internet sinks for network abuse monitoring”. In International Workshop on Recent Advances in Intrusion Detection (pp. 146–165). Springer, Berlin, Heidelberg.

[4] Moore, D., Voelker, G., and Savage, S. (2001). “Inferring Internet Denial of Service Activity”. In 10th USENIX Security Symposium, Washington D.C.

[5] Moore, D., Shannon, C., Voelker, G. M., and Savage, S. (2004). “Network Telescopes: Technical Report”. Tech. rep., Cooperative Association for Internet Data Analysis (CAIDA), San Diego.

[6] Campbell, R. M., Padayachee, K., and Masombuka, T. (2015). “A survey of honeypot research: Trends and opportunities”. In 10th International Conference for Internet Technology and Secured Transactions (ICITST).

[7] Scarfone, K., and Mell, P. (2007). “Guide to Intrusion Detection and Prevention Systems (IDPS)”. Computer Security Resource Center, National Institute of Standards and Technology, SP 800-94. Retrieved 1 January 2010.

[8] Cooke, E., Bailey, M., Watson, D., Jahanian, F., and Nazario, J. (2004). “The Internet Motion Sensor: A distributed global scoped Internet threat monitoring system”. Technical Report CSE-TR-491-04, University of Michigan, Electrical Engineering and Computer Science.

[9] Oberheide, J., Karir, M., and Mao, Z. M. (2007). “Characterizing Dark DNS Behavior”. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 140–156). Springer, Berlin, Heidelberg.

[10] Bailey, M., Cooke, E., Jahanian, F., Myrick, A., and Sinha, S. (2006). “Practical darknet measurement”. In Information Sciences and Systems, 40th Annual Conference (pp. 1496–1501). IEEE.

[11] Snort. Available at: https://www.snort.org/

[12] MySQL. Available at: https://www.mysql.com/

[13] Song, D., Malan, R., and Stone, R. (2001). “A snapshot of global Internet worm activity”. Technical report, Arbor Networks.

[14] Wang, Q., Chen, Z., and Chen, C. (2011). “Darknet-based inference of Internet worm temporal characteristics”. IEEE Transactions on Information Forensics and Security, 6(4), 1382–1393.

[15] Pang, R., Yegneswaran, V., Barford, P., Paxson, V., and Peterson, L. (2004). “Characteristics of Internet background radiation”. In Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement (pp. 27–40). ACM.


Biographies

S. Lakshminarayanan received a B.E. in Computer Science and Engineering from Rajalakshmi Institute of Technology, India in 2016. She has 20 months of experience in research and development of mobile communication networks and security standardization. At present she works as Member Technical Staff in the NEC India Standardization (NIS) Team at NEC Mobile Network Excellence Center (NMEC), NEC Technologies India Pvt Ltd, Chennai. In her current role, she is working on security aspects of 5G systems and has applied for several patents on the same. Her research interests include Cyber Security, Telecom Security and Machine Learning.

Pradheepkumar Singaravelu is a Senior Researcher at NEC India. He has around 10 years of experience in the security domain in different areas such as NFV, IoT, 5G and LTE networks. He represents NEC Corporation as one of its security experts in global forums such as ETSI-NFV and 3GPP-SA3 and in local forums like GISFI, TSDSI, etc. He was the Vice Chair of the 5G Working Group in TSDSI. Prior to joining NEC, he worked with Samsung Electronics, India, as a Technical Leader of the DTV security platform and Standards group. He has filed several patents which cover a wide range of IoT, NFV and Smart Home technology. He received a Ph.D. in Information Technology from the Indian Institute of Information Technology, Allahabad. He has published several research papers in reputed international journals and conferences.


S. Arumugam received a Ph.D. in Electrical Engineering from the Indian Institute of Technology Kanpur, India in 2008 and an M.Tech degree from Pondicherry University, India, in 2000. He has 14 years of experience in academic teaching and research. Presently he works as Assistant General Manager for Research at NEC Mobile Network Excellence Center (NMEC), NEC Technologies India Pvt Ltd, Chennai. Prior to joining NECI he was associated with ABB Global Services and Industries Limited, Bangalore as Associate Scientist. He has published more than 25 papers in various international journals and conferences and also participated in many national and international conferences. In his current role, he is representing NEC at the Global ICT Standards Forum of India (GISFI). His research interests include Next Generation Wireless Networks.

A. R. Prasad, Dr. & ir., Delft University of Technology, The Netherlands, is Chief Advanced Technologist, Executive Specialist, at NEC Corporation, Japan, where he leads the mobile communications security activity. Anand is the chairman of 3GPP SA3 (mobile communications security standardization group), a member of the governing body of the Global ICT Standardisation Forum for India (GISFI), founder chairman of the Security & Privacy working group and a governing council member of the Telecom Standards Development Society, India. He was chairman of the Green ICT working group of GISFI. Before joining NEC, Anand led the network security team in DoCoMo Euro-Labs, Munich, Germany, as a manager. He started his career at Uniden Corporation, Tokyo, Japan, as a researcher developing embedded solutions, such as medium access control (MAC) and automatic repeat request (ARQ) schemes for a wireless local area network (WLAN) product, and as project leader of the software modem team. Subsequently, he was a systems architect (as distinguished member of technical staff) for IEEE 802.11 based WLANs (WaveLAN and ORiNOCO) at Lucent Technologies, Nieuwegein, The Netherlands, during which period he was also a voting member of IEEE 802.11. After Lucent, Anand joined Genista Corporation, Tokyo, Japan, as a technical director with focus on perceptual QoS. Anand has provided business and technical consultancy to start-ups, started an offshore development center based on his concept of cost-effective outsourcing models and is involved in business development.

Anand has applied for over 50 patents, has published 6 books and authored over 50 peer-reviewed papers in international journals and conferences. His latest book is “Security in Next Generation Mobile Networks: SAE/LTE and WiMAX”, published by River Publishers, August 2011. He is a series editor for a standardization book series and editor-in-chief of the Journal of ICT Standardisation published by River Publishers, an Associate Editor of IEEK (Institute of Electronics Engineers of Korea) Transactions on Smart Processing & Computing (SPC), advisor to the Journal of Cyber Security and Mobility, and chair/committee member of several international activities.

He is a recipient of the 2014 ITU-AJ “Encouragement Award: ICT Accomplishment Field” and the 2012 (ISC)2 Asia Pacific Information Security Leadership Achievements (ISLA) Award as a Senior Information Security Professional. Anand is a Certified Information Systems Security Professional (CISSP), Fellow IETE, Senior Member IEEE and a NEC Certified Professional (NCP).
